Case 2

(Hey wait.. what was “Case 1” ??)

What if Bob is not just an annoying customer of a local cafe but he is actually a malicious user within your enterprise network? What if he brings his own laptop with a bunch of hacking tools installed and connects it to the network by spoofing his MAC address to one of his co-workers? In this case, do we have better options to protect our network from Bob? Lucky for us, the answer is yes.

Thing is, MAC addresses are only used within a single broadcast domain like the subnet. So once a  packet that has MAC information left its broadcast domain, the MAC address is lost and replaced with sender’s IP address. In order to detect and capture the illegitimate use of a MAC address, it is important to track the MAC address across all areas of the network, since Bob may move between broadcast domains.



Sticky MAC address is one. This port security feature enables a port interface on your switch to retain dynamically learned MAC addresses when the switch is restarted or if the interface goes down and is brought back online.

Another way to prevent unauthorized entries is implementing Port mirroring(aka, SPAN port). This method is used to send a copy of every network packet encountered on one switch port or a whole VLAN to another port where it may be monitored such as NIDS(network intrusion detection system).

Seeing is believing

1. Sticky MAC address

2. SPAN Port


Please enter your comment!
Please enter your name here